Create a list of the keys/values you want to search and supply them to the 'Printkey' plugin (http://code.google.com/p/volatility/wiki/CommandReference#printkey).

Additionally, depending on what you're searching against, you can use Autoruns and parse its contents, or if you want a GUI search, try Registry Decoder.

-- 
Glenn P. Edwards Jr.
GREM, GCFA, GCIH

On Tuesday, May 15, 2012 at 6:38 PM, Mike Lambert wrote:

One thing we need to do is search the registries for the keys that autorun malware.
 
Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.
 
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.
 
Mike
 
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
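
The approach suggested in the reply above (a key list fed to printkey), sketched as an added example that is not part of the original e-mails. It assumes Volatility 2 is invoked as `vol.py` (override with the hypothetical `VOL` variable); the function names and the key list are constructed for illustration and cover only a few common autorun locations.

```shell
#!/bin/sh
# Added example, not from the thread: run Volatility 2's printkey once per
# autorun key in a list. Assumes `vol.py` is on PATH; set VOL to override.

# Constructed starter list. Paths are relative to the hive root, which is
# what `printkey -K` expects; with no hive offset, every hive is searched.
autorun_keys() {
cat <<'EOF'
# SOFTWARE hive (machine-wide)
Microsoft\Windows\CurrentVersion\Run
Microsoft\Windows\CurrentVersion\RunOnce
Microsoft\Windows NT\CurrentVersion\Winlogon

# NTUSER.DAT hives (per-user)
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
EOF
}

# Drop comment and blank lines from a key list read on stdin.
clean_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# Usage: printkey_all IMAGE PROFILE [KEYFILE]
# KEYFILE is an optional file in the same format as autorun_keys.
printkey_all() {
    image=$1
    profile=$2
    keyfile=${3:-}
    {
        if [ -n "$keyfile" ]; then cat "$keyfile"; else autorun_keys; fi
    } | clean_keys |
    while IFS= read -r key; do
        # read -r keeps the backslashes in the key path intact.
        printf '=== %s ===\n' "$key"
        # stdin is redirected so the tool cannot consume the key list.
        ${VOL:-vol.py} -f "$image" --profile="$profile" \
            printkey -K "$key" </dev/null
    done
}

# Example call (image name and profile are placeholders):
#   printkey_all memory.img Win7SP1x86 > autoruns.txt
```

Each key's output is delimited by an `===` header, so the saved report can be searched with grep or compared against a known-good baseline.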